Methods, systems, and computer readable media for increasing the rate of established network connections in a test simulation environment

ABSTRACT

Methods, systems, and computer readable media for increasing the rate of established network connections in a test simulation environment are disclosed. The method includes generating, by a network equipment test device in a test simulation environment, a random integer. The method further includes designating the generated random integer as a first twin prime value in the event the generated random integer is a prime number and designating, by the network equipment test device, a generated sum of the first twin prime value and a designated value as a second twin prime value in the event the generated sum is a prime number. The method also includes generating a custom key certificate pair that includes a public encryption key and a private decryption key using the first twin prime value and the second twin prime value and decrypting at least one message received from a device under test using the private decryption key.

TECHNICAL FIELD

The subject matter described herein relates to establishing simulated session connections in a test simulation environment. More particularly, the subject matter described herein relates to methods, systems, and computer readable media for increasing the rate of established network connections in a test simulation environment.

BACKGROUND

At present, RSA key generation is an integral part of the secure socket layer (SSL) connection establishment process. However, this key generation process accounts for a considerable amount of the computational load associated with the private key decryption processing. Specifically, the computational load associated with the private key decryption operation conducted by an emulated server is considerably disproportionate to the load imposed on an emulated client that is conducting public encryption processing. In light of this significant drawback, a large bottleneck occurs at the server entity responsible for executing the private key decryption operation. Thus, any reduction of the time associated with the determination of encryption and decryption keys may be extremely beneficial for the sake of testing efficiency.

Thus, there exists a need for methods, systems, and computer readable media for increasing the rate of established network connections in a test simulation environment.

SUMMARY

Methods, systems, and computer readable media for increasing the rate of established network connections in a test simulation environment are disclosed. In some embodiments, a method includes generating, by a network equipment test device in a test simulation environment, a random integer. The method further includes designating the generated random integer as a first twin prime value in the event the generated random integer is a prime number and designating, by the network equipment test device, a generated sum of the first twin prime value and a designated value as a second twin prime value in the event the generated sum is a prime number. The method also includes generating a custom key certificate pair that includes a public encryption key and a private decryption key using the first twin prime value and the second twin prime value and decrypting at least one message received from a device under test using the private decryption key.

The subject matter described herein for enhancing network connection rates in a test simulation environment may be implemented in hardware, software, firmware, or any combination thereof. As such, the terms “function” or “module” as used herein refer to hardware, which may also include software and/or firmware components, for implementing the feature being described. In one exemplary implementation, the subject matter described herein may be implemented using a computer readable medium having stored thereon computer executable instructions that when executed by a hardware based processor of a computer control the computer to perform steps. Exemplary computer readable media suitable for implementing the subject matter described herein include non-transitory computer-readable media, such as disk memory devices, chip memory devices, programmable logic devices, and application specific integrated circuits. In addition, a computer readable medium that implements the subject matter described herein may be located on a single device or computing platform or may be distributed across multiple devices or computing platforms.

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the subject matter described herein will now be explained with reference to the accompanying drawings, wherein like reference numerals represent like parts, of which:

FIG. 1 illustrates a block diagram of an exemplary system for increasing the rate of established network connections in a test simulation environment according to an embodiment of the subject matter described herein;

FIG. 2 illustrates a flow chart for generating a custom key certificate pair based on designated twin prime values according to an embodiment of the subject matter described herein;

FIG. 3 illustrates an exemplary handshake procedure that utilizes a custom key certificate pair based on designated twin prime values according to an embodiment of the subject matter described herein; and

FIG. 4 illustrates a flow chart of a method for increasing the rate of established network connections in a test simulation environment according to an embodiment of the subject matter described herein.

DETAILED DESCRIPTION

Methods, systems, and computer readable media for increasing the rate of established network connections in a test simulation environment are disclosed. In some embodiments, the present subject matter involves the determination, by a network equipment test device, of twin prime values that are utilized to generate a custom key exchange pair comprising cryptographic keys for use in a test simulation session within a testing environment. Notably, the present subject matter affords the distribution of the computational load associated with a server entity or device that is tasked to decrypt a client key exchange message received from a device under test for the purpose of increasing the number of SSL connections that can be established within a test simulation environment. As used herein, SSL may be used to refer to the secure socket layer protocol and/or the transport layer security (TLS) protocols.

Notably, many networking security devices are required by customer demand to measure the speed at which new TCP/SSL connections per second can be established for different SSL key-certificate sizes, for a variety of testing reasons, such as performing SSL deep inspection, simulating a “man-in-the middle” attack, or the like. In order to test these network security devices, local ports on a network equipment test device may be configured to function as both a client (i.e., an emulated client) and a server (i.e., an emulated server). As such, a network security device under test (DUT), which is communicatively connected to the network equipment test device, can be configured to handle at least two SSL connections. Namely, one SSL connection that is initiated by the emulated client and another SSL connection that the DUT has initiated with the emulated server. Since RSA cipher suites are being used while conducting an SSL handshake, the server is required to decrypt the client key exchange message from a DUT using its own private decryption key in order to retrieve a symmetric key and/or a pre-master secret (which will be used to encrypt the communicated end-user data). In particular, the use of the private decryption key to decrypt the client key exchange message places a significant computational load on the emulated server and imposes a processing bottleneck on that server entity. This processing bottleneck is the primary reason that a DUT achieves a lower number of SSL connections per second in a test environment. Notably, achieving a greater number of SSL connections per second is a key goal for any security test solution.

The disclosed subject matter affords a method of enhancing SSL connections per second performance by generating a custom key certificate pair wherein twin prime values ‘q’ and ‘p’ (where p=q+2) are selected and designated by a cipher manager as the RSA prime values. Notably, this pair of twin prime values is strategically selected such that the RSA public modulus, ‘n,’ is equal to the product of the twin prime values, i.e., n=q(q+2). The selection and designation of the twin prime values as RSA prime values enables a significant reduction of the computational load that is imposed on an emulated server and thereby increases the SSL connection per second performance between a DUT and the emulated server in a test environment. One technical advantage of the disclosed approach is that the custom key certificate pair, which is based on the selected twin prime values, may be utilized as input to the RSA algorithm. In particular, a custom key certificate pair that is generated using the selected twin prime values is processed like any other key-certificate pair. Namely, the RSA algorithm does not require any software code modification in order to receive the custom key certificate pair.

As indicated above, the RSA algorithm typically specifies that two large prime numbers identified as ‘p’ and ‘q’ are selected. The RSA algorithm, which may be executed by a cipher manager, subsequently computes an RSA public modulus ‘n’ by determining the product of ‘p’ and ‘q’ (e.g., n=p*q) (e.g., step A). Next, the RSA key size, which is determined by the number of bits in ‘n’, is calculated. In particular, the RSA key size is determined by the size of ‘n’ in bits, or more specifically, the number of bits that is needed to represent the decimal value of ‘n’ in a binary number system. This value may be represented by the parameter ‘length_in_binary(n)’. The RSA algorithm subsequently computes Φ(n), which is equal to the product of (p−1) and (q−1) (e.g., step B). After calculating Φ(n), a public exponent represented by the integer ‘e’ is selected such that i) 1<e<Φ(n) and ii) the greatest common divisor (GCD) of (e, Φ(n))=1 (e.g., step C). After ‘e’ is selected, a private exponent represented by the value ‘d’ is computed such that e*d=1 mod(Φ(n)) (i.e., d is the multiplicative inverse of e modulo Φ(n)) (e.g., step D).

After computing these values (e.g., steps A-D), the RSA algorithm generates a public encryption key (e, n) and a private decryption key (d, n). In a live network environment, client key exchange messages that are sent by a client are encrypted by the client using a public key of a server. Further, client key exchange messages received by the server will be decrypted by the server using the server's private decryption key. The RSA algorithm may be used to perform public key based encryption of a message ‘m’ to be sent to a receiving entity (e.g., the server) using the formula c=m^(e) mod(n), where ‘c’ represents the cipher or encrypted message. Similarly, decryption of the encrypted message is performed by the receiving entity using the formula m=c^(d) mod(n) in order to retrieve the original message ‘m.’

As an example, the public exponent ‘e’ equal to 65537, which amounts to 17 bits long (i.e., length_in_binary(65537)=17), may be selected by a server entity. Notably, this value is typically minimized in length in order to promote computational efficiency, since the public encryption is oftentimes performed by a browser and/or a computing device with significantly low processing power (as compared to a server device). Since ‘e’ amounts to a size of 17 bits, the size of ‘d’ bitwise will be very close to the size of ‘n’ in the binary number system. More specifically, since ‘e’ has significantly fewer bits than the public modulus ‘n’, length_in_binary(d) is therefore nearly equal to length_in_binary(n). Notably, each of RSA public encryption and RSA private decryption involves modular exponentiation with respect to the RSA public modulus ‘n’. Modular exponentiation can be conducted by a cipher manager configured to execute a bit scanning algorithm. Notably, the cipher manager is configured to scan an exponent value in a bitwise manner, and if ‘k’ represents the number of bits in the exponent, then the computational cost of modular exponentiation for any number of bits is proportional to k³. For a private key based decryption operation, the exponent scanned by the cipher manager is ‘d’, while for a public key based encryption operation, the exponent scanned by the cipher manager is ‘e’. Thus, since exponent ‘d’ is considerably larger in size (bitwise) than exponent ‘e’, the computational cost of private decryption, which is proportional to (length_in_binary(d))³, is significantly greater than the computational cost of public encryption, which is proportional to (length_in_binary(e))³.

Moreover, the efficient implementation of RSA private decryption is accomplished by a cipher manager using the Chinese Remainder Theorem (CRT). Notably, utilization of CRT is possible by a server entity since the factors of n (i.e., prime values ‘p’ and ‘q’) are known. For example, CRT can be performed by precomputing values dP, dQ, and q⁻¹ in the event p>q and n=p*q. Notably, a cipher manager can calculate and designate ‘dP’ as being equal to ‘d mod(p−1)’ and dQ as being equal to ‘d mod(q−1)’. A cipher manager further calculates and designates q⁻¹ such that q*q⁻¹=1 mod p. In order to compute the message ‘m’ (given the cipher c), a cipher manager is configured to execute and designate m1=c^(dP) mod(p) and m2=c^(dQ) mod(q), where m1 and m2 are mathematical variables defined to help facilitate the CRT application in RSA private decryption (e.g., assist with reconstructing the message back from the cipher). Further, a cipher manager subsequently utilizes the computed values to calculate ‘h’ (which is another defined mathematical variable that helps facilitate the CRT application in RSA private decryption). Specifically, a cipher manager determines h=q⁻¹*(m1−m2) mod (p). Upon determining h, the cipher manager obtains message ‘m’ by calculating m2+h*q.

Consequently, if ‘x’ is designated by a cipher manager to represent the number of bits in n (e.g., x=length_in_binary(n)), then each of the prime values p and q is approximately x/2 bits in size. Thus, the size of dP and dQ, at most, will each be equal to x/2 bits. As such, the computational cost of computing each of m1 and m2 will be approximately proportional to x³/8. Since the size of the exponent in the computation of m1 and m2 is approximately half that of ‘n,’ a cipher manager's computation for each of m1 and m2 is much faster than decrypting the cipher using the private exponent and modulus.

FIG. 1 is a block diagram illustrating an exemplary architecture for a test simulation system 100 according to an embodiment of the subject matter described herein. Referring to FIG. 1, test simulation system 100 includes a network equipment test device 102 that is communicatively connected to a device under test (DUT) 104 in a test simulation environment. For example, network equipment test device 102 may be communicatively connected to DUT 104 via a wired connection or a wireless connection that facilitates the communication and/or transfer of encrypted packet traffic. In some embodiments, DUT 104 may include a serving gateway (SGW), a packet data network gateway (PGW), a firewall device, a router device, a network address translation (NAT) device, or any device or system that may benefit from high throughput traffic simulation testing.

In some embodiments, network equipment test device 102 may include a hardware based device or equipment that is configured to generate and send packet traffic to DUT 104 via established SSL connections and/or TLS connections for load testing purposes. In some embodiments, network equipment test device 102 may include a processor 106, a client emulator 108, a network interface unit 110, a server emulator 112, and memory 120, which includes a cipher manager 122 and a connection engine 124.

In some embodiments, cipher manager 122 is the module in network equipment test device 102 that is responsible for determining twin prime values, generating a custom certificate key pair based on the twin prime values, executing the RSA algorithm, performing bit scanning functions, and handling the CRT functionality. For example, cipher manager 122 is further configured to conduct the private decryption processing considerably faster by strategically selecting and designating the twin prime values of ‘p’ and ‘q.’ In a test simulation scenario where network equipment test device 102 is configured to test the SSL connection establishment performance of DUT 104, there is no requirement to restrict parameter ‘e’ to a value as small as 65537 (referring to the example above), which would stress DUT 104 to a lesser degree. Notably, a device such as DUT 104 typically possesses more computational processing power and can readily process the computational load (e.g., the processing required to conduct modular exponentiation with respect to the size of an exponent in bits) typically associated with public key encryption (e.g., as opposed to a typical browser application). Thus, instead of subjecting DUT 104 (which is functioning as the encryption entity) and server emulator 112 (which is functioning as the decryption entity) to unnecessarily uneven computational loads, cipher manager 122 may select twin prime values so that exponents ‘e’ and ‘d’ are ultimately selected with nearly the same size while still satisfying all of the aforementioned steps (i.e., steps A-D) associated with conducting the RSA algorithm. By achieving this symmetric computational load, cipher manager 122 may be configured to ensure that the computational cost of conducting one public encryption operation is commensurate with the computational cost of one private decryption operation. Notably, cipher manager 122 is configured to ensure that the computational performance exhibited by network equipment test device 102 and/or server emulator 112 never lags behind the DUT's computational performance. Accordingly, cipher manager 122 is able to maintain a high connection per second rate that stresses an SSL connection engine 128 (which is responsible for establishing SSL connections) of DUT 104.

Processor 106 may include at least one central processing unit (CPU), microcontroller, or any other hardware based processor unit that is configured to manage and facilitate the operation of cipher manager 122 and connection engine 124 in network equipment test device 102. Processor 106 may also include memory and various circuits, software and/or interfaces for providing the functionality and features described herein. In some embodiments, network equipment test device 102 may utilize client emulator 108 to function as a client entity with respect to DUT 104 (i.e., generate and send requests to DUT 104). Similarly, network equipment test device 102 may utilize server emulator 112 to function as a server entity with respect to DUT 104 (i.e., receive and service requests received from DUT 104).

In some embodiments, server emulator 112 may be configured to generate packet traffic, such as audio traffic data, video traffic data, and other multimedia data. Further, server emulator 112 may be configured to generate real-time transport protocol (RTP) data that is sent to DUT 104. In some embodiments, server emulator 112 may be configured to encrypt the generated packet traffic data being transmitted over an established SSL session connection. SSL session connections may be established between device 102 and DUT 104 via the handshaking procedure described below and depicted in FIG. 3. Packet traffic that is generated and encrypted by either client emulator 108 or server emulator 112 is initially forwarded to network interface unit 110 prior to its transmission to DUT 104 via connections 114-116 (e.g., an SSL connection). Although FIG. 1 only depicts connections 114-116, additional connections existing between network equipment test device 102 and DUT 104 may be established without departing from the scope of the present subject matter.

In some embodiments, network interface unit 110 may convert the outgoing test packet traffic from server emulator 112 into an electrical, optical, or wireless signal format that is needed to transmit the test traffic to DUT 104 via a wire link, an optical fiber, a wireless link, or some other communications link. Similarly, network interface unit 110 may receive electrical, optical, or wireless signals from DUT 104 over one or more session connections 114-116 and may be configured to convert the received signals (e.g., packets) into incoming test traffic in a format usable by network equipment test device 102. Received packets may be directed to either client emulator 108 or server emulator 112 by network interface unit 110. For example, server emulator 112 may receive the incoming test traffic requested from DUT 104 via network interface unit 110. In some embodiments, server emulator 112 may also be configured to decrypt packet traffic originating from DUT 104.

In some embodiments, network equipment test device 102 comprises a connection engine 124 that is configured to conduct the negotiation/handshaking process associated with establishing SSL connections in a test session. In some embodiments, the SSL based test session is conducted between network equipment test device 102 and DUT 104 at an application layer. For example, connection engine 124 may be used to communicate with a DUT connection engine 128 of DUT 104 (e.g., via network interface 110) to establish a plurality of SSL connections that may be used to communicate encrypted packet traffic. In some embodiments, server emulator 112 may be configured to conduct an SSL handshake process with DUT 104 in the event DUT 104 attempts to establish an SSL connection. An exemplary handshake procedure utilizing a custom key certificate pair generated from twin prime values determined by cipher manager 122 is described below and depicted in FIG. 3.

In some embodiments, cipher manager 122 may include various session parameters that may be utilized to establish an SSL session, such as a type of cryptographic suite to be used by cipher manager 122, a designation of a predefined number of bits for the public RSA modulus, a designation of a number/size of bits for each of the p and q twin prime values, and the like. More specifically, cipher manager 122 may be utilized to define the parameters for the custom key-certificate pair values to be generated by network equipment test device 102. For example, cipher manager 122 may be configured to determine and define twin prime values (e.g., p and q) to client emulator 108 and server emulator 112. Notably, cipher manager 122 may execute an algorithm (e.g., see FIG. 2 herein) to generate a custom key-certificate pair using generated twin prime values. In some embodiments, cipher manager 122 may be accessed and programmed by a network operator, a test simulation administrator, or any other user that seeks to establish parameters for a traffic test simulation conducted between network equipment test device 102 and DUT 104.

Network equipment test device 102 further includes memory 120, which can comprise random access memory (RAM), read only memory (ROM), optical read/write memory, cache memory, magnetic read/write memory, flash memory, or any other non-transitory computer readable medium. In some embodiments, processor 106 and memory 120 can be used to execute and manage the operation of cipher manager 122 and connection engine 124 (which are stored in memory 120). In some embodiments, cipher manager 122 comprises an algorithm that, when executed by processor 106, performs the operations described in FIG. 2. Similarly, connection engine 124 may comprise an algorithm that, when executed by processor 106, performs the operations described in FIG. 3.

FIG. 2 illustrates a flow chart for generating a custom key certificate pair based on designated twin prime values according to an embodiment of the subject matter described herein. For example, method 200 depicted in FIG. 2 may include an algorithm that is performed by cipher manager 122 when executed by processor 106 of device 102 (as shown in FIG. 1).

In step 202, cipher manager 122 designates a bit size for each of the twin prime values. For purposes of illustration, cipher manager 122 may designate the bit size for each of ‘p’ and ‘q’ to be 512 bits long. In such a scenario, the RSA public modulus ‘n’ may initially be designated by cipher manager 122 as 1024 bits in length.

In step 204, a random integer of the designated bit size is selected. In some embodiments, cipher manager 122 selects a random integer that is equal to the size determined in step 202. For example, cipher manager 122 may select a random number that is 512 bits in length.

In step 206, a determination is made as to whether the selected random integer (e.g., designated in step 204) is a prime number. More specifically, cipher manager 122 may be configured to ascertain whether the selected random integer is a prime number. If the random integer is a prime number, then method 200 proceeds to step 208. Otherwise, method 200 loops back to step 204.

In step 208, the prime random integer is designated as a ‘q’ twin prime value. For example, the random integer that is selected in step 204 and identified as a prime number in step 206 is designated by cipher manager 122 as ‘q’.

In step 210, cipher manager 122 is configured to add “2” to the value of q to generate a twin prime candidate value. In some embodiments, cipher manager 122 may be configured to add any predefined value (e.g., a small value other than 2) to ‘q’ in order to generate a second twin prime candidate value.

In step 212, cipher manager 122 makes a determination as to whether the twin prime candidate value generated in step 210 is a prime number itself. If the twin prime candidate value is a prime number, then method 200 proceeds to step 214. Otherwise, method 200 loops back to step 204.

In step 214, cipher manager 122 identifies the twin prime candidate value as a prime number and subsequently designates the value as a twin prime ‘p’ value, wherein ‘p’ is equal to q plus the predefined value (e.g., p=q+2).

In step 216, cipher manager 122 utilizes the designated twin prime values ‘q’ and ‘p’ to generate a custom key certificate pair in accordance with the RSA algorithm. For example, cipher manager 122 utilizes the determined twin prime values as input into the RSA algorithm to calculate a public modulus ‘n’ and generate a public exponent (‘e’) and a private exponent (‘d’). Cipher manager 122 may utilize this generated data to subsequently create the custom key certificate pair. Notably, cipher manager 122 generates a custom key certificate pair that includes a public encryption key (e, n) and a private decryption key (d, n) in the manner described above. After generating the custom key certificate pair using method 200, cipher manager 122 distributes the public encryption key and private decryption key to server emulator 112 (see FIG. 1). Upon receiving the public encryption key and private decryption key, server emulator 112 is properly provisioned to establish one or more SSL connections initiated by DUT 104.

Using the algorithm described above and illustrated in FIG. 2, the set of twin primes can be used as RSA prime values. Namely, each of q and p=q+2 is determined and designated by cipher manager 122 to be a twin prime value, while n=q*(q+2) is determined by cipher manager 122 as the RSA public modulus. Accordingly, Φ(n) is determined by cipher manager 122 to be equal to q²−1. Next, if cipher manager 122 selects ‘e’ in accordance with 1<e=q<Φ(n), then step (C) of the RSA algorithm is satisfied since the GCD of (q, q²−1)=1. In this example, q*q=1 mod(q²−1) and thus the private exponent ‘d’ is also determined by cipher manager 122 to be equal to q. Consequently, this results in ‘e’ and ‘d’ being of equal size bitwise. Since ‘e’=‘d’ bitwise, the computational cost of executing a bit scanning algorithm of modular exponentiation on each of ‘e’ and ‘d’ is respectively the same on the encrypting entity (e.g., DUT 104) and the decrypting entity (e.g., server emulator 112). While having ‘e’ and ‘d’ equal to each other in size is a significant disadvantage for security purposes in a real/live network environment, such a security drawback is immaterial in a testing environment. Rather, from a load testing perspective for conducting SSL connection tests within a test simulation environment, this configuration affords a technical advantage of load distribution while still complying with RSA principles/requirements.

In some embodiments, the CRT implementation of RSA private decryption as performed by cipher manager 122 involves notable implications. Since cipher manager 122 has designated i) e=d=q and ii) p=q+2>q, cipher manager 122 also designates dQ=q mod(q−1)=1 in accordance with CRT. Similarly, cipher manager 122 designates dP=q mod(p−1)=q mod(q+1)=q. Consequently, m2=c¹ mod(q) and m1=c^(q) mod(p). As such, cipher manager 122 is configured to invoke the modular exponentiation algorithm only to compute ‘m1,’ which is computationally proportional to the size of the twin prime value ‘q’ in bits. Notably, the calculation of ‘m2’ does not require any modular exponentiation to be performed by cipher manager 122. This relationship demonstrates that the computational cost of private decryption via the CRT implementation is approximately equal to the computational cost of public encryption. Accordingly, the computational costs of private decryption and public encryption are more evenly distributed between a client entity and a server entity in a test simulation environment.
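The following Python is an added worked example, not code from the patent or from cipher manager 122: it carries method 200 (steps 202 through 216 of FIG. 2) and the CRT decryption of the two paragraphs above through end to end, drawing twin primes q and p=q+2, running RSA steps A-D on them, encrypting a constructed stand-in for the DUT's pre-master secret (block 303) and decrypting it with (dP, dQ, q⁻¹) as server emulator 112 would (block 305), so that the closed forms Φ(n)=q²−1, e=d=q, dQ=1 and dP=q can be checked directly. The function and class names, the 64-bit default prime size and the sample message are this example's own assumptions; the recombination step uses the standard form m=m2+h*q.

```python
"""Added worked example (hypothetical names): twin-prime RSA keys for an
emulated test server and the CRT decryption they lead to."""
import math
import secrets
from dataclasses import dataclass

# Trial-division primes that weed out most candidates before Miller-Rabin.
_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test, used for steps 206 and 212."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n - 1 = 2^s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a proves n composite
    return True


@dataclass(frozen=True)
class TwinPrimeKey:
    """Custom key certificate pair: public key (e, n), private key (d, n) and
    the CRT parameters dP, dQ, qInv precomputed by the cipher manager."""
    q: int
    p: int
    n: int
    e: int
    d: int
    dP: int
    dQ: int
    qInv: int


def generate_twin_prime_key(bits: int = 64, gap: int = 2) -> TwinPrimeKey:
    """Steps 202-216: loop until a random `bits`-bit prime q and q+gap are both
    prime, then run RSA steps A-D on them. The closed forms e=d=q, dQ=1, dP=q
    from the text hold for gap=2 (ordinary twin primes)."""
    while True:
        # Step 204: random odd integer with the top bit set so it has `bits` bits.
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if not is_probable_prime(q):          # step 206: not prime -> back to 204
            continue
        p = q + gap                           # step 210: twin prime candidate
        if is_probable_prime(p):              # step 212: prime -> 214, else back to 204
            break
    n = p * q                                 # step A: public modulus
    phi = (p - 1) * (q - 1)                   # step B: Phi(n); equals q^2 - 1 for gap=2
    e = q                                     # step C: 1 < q < Phi(n), gcd(q, Phi(n)) = 1
    assert math.gcd(e, phi) == 1
    d = pow(e, -1, phi)                       # step D: e*d = 1 mod Phi(n); d == q for gap=2
    return TwinPrimeKey(q, p, n, e, d, d % (p - 1), d % (q - 1), pow(q, -1, p))


def encrypt(m: int, key: TwinPrimeKey) -> int:
    """DUT side (block 303 of FIG. 3): c = m^e mod n with the server's public key."""
    return pow(m, key.e, key.n)


def decrypt_crt(c: int, key: TwinPrimeKey) -> int:
    """Server emulator side (block 305): CRT decryption. With e=d=q only the m1
    exponentiation carries a q-sized exponent; m2 = c^1 mod q is a bare reduction."""
    m1 = pow(c, key.dP, key.p)
    m2 = pow(c, key.dQ, key.q)
    h = (key.qInv * (m1 - m2)) % key.p
    return m2 + h * key.q                     # standard recombination m = m2 + h*q


def recover_q_from_modulus(n: int) -> int:
    """Why the text confines this key shape to the test bench: with p = q+2 the
    public modulus satisfies n + 1 = (q+1)^2, so q is read off n alone."""
    return math.isqrt(n + 1) - 1


if __name__ == "__main__":
    key = generate_twin_prime_key(64)
    secret = secrets.randbits(48)             # constructed stand-in for a pre-master secret
    c = encrypt(secret, key)
    print(f"q={key.q} p={key.p} e bits={key.e.bit_length()} d bits={key.d.bit_length()}")
    print("round trip ok:", decrypt_crt(c, key) == secret,
          "| q recovered from n alone:", recover_q_from_modulus(key.n) == key.q)
```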

FIG. 3 illustrates an exemplary handshake procedure utilizing a custom key certificate pair based on designated twin prime values according to an embodiment of the subject matter described herein. Referring to FIG. 3, DUT 104 may issue a secure session request message to server emulator 112 in order to initiate the establishment of an SSL connection. In reply, server emulator 112 sends a response message 302 that includes a digital certificate and the public encryption key (e.g., (e,n)) of server emulator 112. Notably, the public key provided to DUT 104 was previously generated using twin prime values determined and designated by device 102 (e.g., via the method 200 described in FIG. 2). In response to receiving message 302, DUT 104 may be configured to authenticate the digital certificate. Further, DUT 104 can utilize the received public encryption key to encrypt a message that includes a random symmetric key (e.g., encrypting a message ‘m’ that results in an encrypted cipher message ‘c’) in block 303. DUT 104 subsequently sends the encrypted message to server emulator 112 via a client key exchange message 304. In response to receiving client key exchange message 304, server emulator 112 conducts the private decryption of the received encrypted message in block 305. Notably, server emulator 112 utilizes its own private key (e.g., (d, n)), which was generated using the twin prime values previously determined and designated by device 102 (e.g., via method 200 in FIG. 2). At this stage, both DUT 104 and server emulator 112 possess knowledge of the symmetric key and can encrypt end-user data communicated between the two devices using the symmetric key for the duration of the session.

FIG. 4 illustrates a flow chart of a method for increasing the rate of established network connections in a test simulation environment according to an embodiment of the subject matter described herein. In some embodiments, method 400 depicted in FIG. 4 comprises an algorithm performed by a cipher manager that is executed by a processor in network equipment test device 102. For example, in step 402, a random integer is generated by a network equipment test device in a test simulation environment. For example, the network equipment test device may comprise a cipher manager that includes a random number generator. In some embodiments, the cipher manager may be configured to generate the random integer of a specified bit size or length (e.g., 17 bits in length).

In step 404, the generated random integer is designated as a first twin prime value in the event the generated random integer is a prime number. In some embodiments, the cipher manager in the network equipment test device determines whether the random integer constitutes a prime number. If it does, the cipher manager designates the random integer as the first twin prime value; if it does not, a fresh random integer is generated and tested in the same manner.

In step 406, the sum of the first twin prime value and a designated value is designated as a second twin prime value in the event the generated sum is a prime number. In some embodiments, the cipher manager in the network equipment test device generates the sum of the first twin prime value (e.g., 'q') and a designated value (e.g., 2). After calculating the sum, the cipher manager determines whether the generated sum is itself a prime number. If it is, the cipher manager designates the sum as the second twin prime value, so that the two values are twin primes differing by the designated value.

In step 408, the custom key certificate pair is generated. In some examples, the cipher manager in the network equipment test device uses the first twin prime value and the second twin prime value to generate the custom key certificate pair. Notably, the generated custom key certificate pair includes a public encryption key and a private decryption key. As recited in claims 1, 8 and 15, the pair is generated such that the public exponent of the public encryption key, the private exponent of the private decryption key, and the first twin prime value are all equal.

In step 410, at least one message received from the DUT is decrypted using the private decryption key. The cipher manager in the network equipment test device uses the private decryption key based on the twin prime values to conduct the decryption of messages received from the DUT in the manner described above.
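The key generation of steps 402 through 408 and the FIG. 3 exchange, carried through end to end as an added example in Python (this is not code from the patent or from any test product; the function names, the 17-bit default and the seeded generator used for reproducibility are assumptions of the demo). It also makes the arithmetic behind claims 1, 8 and 15 explicit: with q = p + 2, phi(n) = (p - 1)(p + 1) = p^2 - 1, so p * p is congruent to 1 modulo phi(n) and e = d = p is a valid RSA exponent pair with no modular inverse to compute. The same structure is the caveat: isqrt(p * (p + 2)) equals p, so the modulus factors in one square root, and the public key (e, n) already carries the private exponent, which is why such a pair belongs only in a controlled test environment.

```python
"""Twin-prime RSA key pair and handshake demo (added example, not the patent's code)."""
import random
from math import isqrt

# Bases that make Miller-Rabin deterministic for n < 3.3e24; larger n gets extra random bases.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
_MR_DETERMINISTIC_LIMIT = 3_317_044_064_679_887_385_961_981


def is_probable_prime(n, extra_rounds=16):
    """Miller-Rabin primality test; exact below _MR_DETERMINISTIC_LIMIT."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    bases = list(_MR_BASES)
    if n >= _MR_DETERMINISTIC_LIMIT:
        bases += [random.randrange(2, n - 1) for _ in range(extra_rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_twin_primes(bits=17, designated_value=2, seed=None):
    """Steps 402-406: draw random integers of the given bit length until one is prime
    (first twin prime value p) and p + designated_value is prime too (second value q).
    Claims 2, 9 and 16 fix the designated value at 2. `seed` is an assumption for
    reproducible demos only; a real test tool would use its own RNG."""
    rng = random.Random(seed)
    while True:
        # force the top bit (exact bit length) and the low bit (odd candidate)
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p) and is_probable_prime(p + designated_value):
            return p, p + designated_value


def make_twin_prime_keypair(p, q):
    """Step 408. With q = p + 2, phi(n) = p^2 - 1, so p * p == 1 (mod phi(n)) and
    e = d = p is a valid RSA exponent pair: no modular inverse, and d is half the size of n."""
    if q != p + 2:
        raise ValueError("expected twin primes p and p + 2")
    n = p * q
    phi = (p - 1) * (q - 1)
    assert (p * p) % phi == 1, "p is not its own inverse mod phi(n)"
    public_key = (p, n)   # (e, n), sent to the DUT in message 302
    private_key = (p, n)  # (d, n), kept by the server emulator
    return public_key, private_key


def rsa_encrypt(public_key, m):
    """Block 303: c = m^e mod n (textbook RSA, no padding, as drawn in the figure)."""
    e, n = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """Block 305: m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def factor_twin_prime_modulus(n):
    """Caveat check: isqrt(p * (p + 2)) == p, so the modulus factors in one square root.
    Returns (p, q) when n has the twin-prime shape, otherwise None."""
    p = isqrt(n)
    if p * (p + 2) == n and is_probable_prime(p):
        return p, p + 2
    return None


def simulate_handshake(bits=17, seed=None):
    """FIG. 3 end to end; returns the values a test would assert on."""
    p, q = generate_twin_primes(bits=bits, seed=seed)
    public_key, private_key = make_twin_prime_keypair(p, q)
    n = public_key[1]
    # DUT side: a random symmetric key is the message m (constructed here as a
    # plain integer below n; a real client would send a padded premaster secret).
    dut_rng = random.Random(None if seed is None else seed + 1)
    symmetric_key = dut_rng.randrange(2, n - 1)
    client_key_exchange = rsa_encrypt(public_key, symmetric_key)   # message 304
    recovered = rsa_decrypt(private_key, client_key_exchange)      # block 305
    return {
        "p": p, "q": q, "n": n,
        "public_exponent": public_key[0], "private_exponent": private_key[0],
        "symmetric_key": symmetric_key, "recovered_key": recovered,
        "factored": factor_twin_prime_modulus(n),
    }


if __name__ == "__main__":
    for name, value in simulate_handshake(bits=17, seed=2024).items():
        print(f"{name:>16}: {value}")
```

Running the file prints one simulated exchange. `factor_twin_prime_modulus` is the check to run on any certificate produced by such a generator before it leaves the lab: if it returns a factorization, the pair is a throughput fixture, not a credential.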

It should be noted that network equipment test device 102, cipher manager 122, and/or the functionality described herein may constitute a special purpose computing device. Further, network equipment test device 102, cipher manager 122, and/or the functionality described herein can improve the technological field of encryption and decryption applications in a network testing environment. For example, by determining and generating twin prime values, private decryption may be performed more quickly, thereby increasing the rate of SSL connections per second achieved by the security test solution. Further, the approach facilitated by the disclosed system allows the custom key-certificate pair (based on the twin prime values) to work seamlessly like any other key-certificate pair and does not require any additional coding or modification. Because the private exponent equals the public exponent and the modulus is a product of twin primes, such a pair provides no confidentiality against a party holding the public key; it is intended for the controlled test simulation environment, where the quantity of interest is connection throughput rather than secrecy.

It will be understood that various details of the presently disclosed subject matter may be changed without departing from the scope of the presently disclosed subject matter. Furthermore, the foregoing description is for the purpose of illustration only, and not for the purpose of limitation.

What is claimed is:
1. A method comprising: generating, by a network equipment test device in a test simulation environment, a random integer; designating, by the network equipment test device, the generated random integer as a first twin prime value in the event the generated random integer is a prime number; designating, by the network equipment test device, a generated sum of the first twin prime value and a designated value as a second twin prime value in the event the generated sum is a prime number; generating, by the network equipment test device, a custom key certificate pair that includes a public encryption key and a private decryption key using the first twin prime value and the second twin prime value, wherein the custom key certificate pair is generated by a cipher manager of the network equipment test device such that a public exponent of the public encryption key, a private exponent of the private decryption key, and the first twin prime value are equal; and decrypting, by the network equipment test device, at least one message received from a device under test (DUT) using the private decryption key.
2. The method of claim 1 wherein the designated value is equal to 2.
3. The method of claim 1 wherein the network equipment test device is coupled directly to the DUT in the test simulation environment.
4. The method of claim 1 wherein the network equipment test device sends a first set of packet traffic data to the DUT as a server entity and receives a second set of packet traffic data from the DUT as a client entity.
5. The method of claim 1 wherein the first twin prime value and the second twin prime value are utilized as inputs by an RSA algorithm to generate the public encryption key and the private decryption key.
6. The method of claim 1 wherein the message received from the DUT includes a client key exchange message.
7. The method of claim 1 including establishing an SSL connection using a symmetric key included in the at least one message.
8. A system comprising: a network equipment test device in a test simulation environment configured for generating a random integer, designating the generated random integer as a first twin prime value in the event the generated random integer is a prime number, designating a determined sum of the first twin prime value and a designated value as a second twin prime value in the event the determined sum is a prime number, generating a custom key certificate pair that includes a public encryption key and a private decryption key using the first twin prime value and the second twin prime value, wherein the custom key certificate pair is generated by a cipher manager of the network equipment test device such that a public exponent of the public encryption key, a private exponent of the private decryption key, and the first twin prime value are equal, and decrypting at least one message received from a DUT using the private decryption key.
9. The system of claim 8 wherein the designated value is equal to 2.
10. The system of claim 8 wherein the network equipment test device is coupled directly to the DUT in the test simulation environment.
11. The system of claim 8 wherein the network equipment test device sends a first set of packet traffic data to the DUT as a server entity and receives a second set of packet traffic data from the DUT as a client entity.
12. The system of claim 8 wherein the first twin prime value and the second twin prime value are utilized as inputs by an RSA algorithm to generate the public encryption key and the private decryption key.
13. The system of claim 8 wherein the at least one message received from the DUT includes a client key exchange message.
14. The system of claim 8 wherein the network equipment test device establishes an SSL connection using a symmetric key included in the at least one message.
15. A non-transitory computer readable medium having stored thereon executable instructions that when executed by a processor of a computer control the computer to perform steps comprising: generating, by a network equipment test device in a test simulation environment, a random integer; designating, by the network equipment test device, the generated random integer as a first twin prime value in the event the generated random integer is a prime number; designating, by the network equipment test device, a generated sum of the first twin prime value and a designated value as a second twin prime value in the event the generated sum is a prime number; generating, by the network equipment test device, a custom key certificate pair that includes a public encryption key and a private decryption key using the first twin prime value and the second twin prime value, wherein the custom key certificate pair is generated by a cipher manager of the network equipment test device such that a public exponent of the public encryption key, a private exponent of the private decryption key, and the first twin prime value are equal; and decrypting, by the network equipment test device, at least one message received from a device under test (DUT) using the private decryption key.
16. The non-transitory computer readable medium of claim 15 wherein the designated value is equal to 2.
17. The non-transitory computer readable medium of claim 15 wherein the network equipment test device is coupled directly to the DUT in the test simulation environment.
18. The non-transitory computer readable medium of claim 15 wherein the network equipment test device sends a first set of packet traffic data to the DUT as a server entity and receives a second set of packet traffic data from the DUT as a client entity.
19. The non-transitory computer readable medium of claim 15 wherein the first twin prime value and the second twin prime value are utilized as inputs by an RSA algorithm to generate the public encryption key and the private decryption key.
20. The non-transitory computer readable medium of claim 15 wherein the message received from the DUT includes a client key exchange message.